Internet of Threats and Context Aware Security: Part One

by Junaid Chaudhry, Ahmed Ibrahim, and Ali Kashif Bashir

January 2017

“Internet of Things” (IoT): The assignment of Internet Protocol (IP) addresses to a plethora of devices, which lets them perform mundane tasks, has left information security engineers with extensive ground to cover. This causes concerns in technology acquisition. The volume of investment is estimated to be more than 1.7 trillion dollars by 2019 among end users, and 3.7 billion dollars among investors [8].

Internet Protocol version 6 (IPv6) was designed for large network volume, interoperability of hybrid networks, and mobility management. However, according to [1], both of the aforementioned have critical issues when used for the Internet of Things. In [2], the challenges in applying TCP/IP in IoT networks at the network and transport layers are discussed, which inspires this research. In [3], it is reported that IoT devices have the TCP/IP stack implemented up to layer 3, i.e., with packet routing and forwarding capability. This leaves no margin for security at the device level. A comprehensive customized IPv6 addressing scheme is proposed in [4], which goes to show the mismatch between IoT and IPv6. An additional layer of business intelligence is inserted on top of the conventional OSI layers, and this is where security of business intelligence is addressed [5].

In 2003, Kim et al. aimed at integrating hybrid networks on a single integration platform [6]. In this project, individual clusters managed their own host mobility while connected with each other through gateways that facilitate interoperability [7]. The u-frontier project [7] faced serious issues over interoperability and protocol engineering, especially when tested with smart devices from different manufacturers. Moreover, the gateway becomes the critical point of failure, which is not recommended in a loosely coupled environment.

Despite sharing the same IP backbone, IoT networks should not be compared with traditional networks in terms of layered security. End-to-end security can only be achieved in the IoT through application context specific collaborative processing. For example, an application that calculates the probability of rainfall in a certain geographical area, funded by public money, and services built from the sensor data that are not provided to the customer for profit should not have restricted access to individual sensor data by a third party.

An example of application context specific end-to-end security is an application that is developed from a multi-sensor data diffusion of the proprietary data that is acquired in order to feed into the application. Such data carries no liability towards data quality and hence holds minimum security standards as per the law. Alternatively, an application that utilizes commercial raw data and develops its application logic as an intellectual asset should safeguard both its business logic and the commercial raw data that it uses. The information about the flow of data from node to node would not be very useful in this instance. For a fully commercial application that utilizes open source data and infrastructure, we summarize the following as security requirements for IoT applications:

– Collaborative Security Processing: The loose binding of sensor data with an application is time limited, so it is rational to have a group-based security policy that is inspired by the overlaying application and holds for a certain amount of time.

– Architecture Agnostic Security Protocols: Due to the hybrid nature of the sub-nets connected in an IoT environment, the presence of diversity in vendor specific protocols is a realistic presumption. Although HTTP is pervasive, SSL (the only dominant security protocol) is not going to be suitable for the whole of the IoT network due to the variance in IoT devices’ capability.

– Entity Naming System Instead of an IP-based Architecture: The Semantic Internet of Things (SIoT) proposes to combine the field of semantic web and Internet of things [9]. Because each IP address assigned to an IoT device is going to form a domain, the problem of interlinking of domains has demonstrably been solved time and time again by ontology and semantic web community researchers. The rhetoric fits into the scenario where open access devices are constraint free but fails to comply with the complete picture.

– Fully De-centric Timing Protocols: Network Time Protocol (NTP) is the de facto standard for clock synchronization between computer systems over packet switched, variable latency data networks. NTP works well over a network of ‘thick clients’. But for thin clients, we cannot use NTP because of bandwidth, IoT processing, and battery power limitations. The fully de-centric network timing protocol must be either event driven or process driven, e.g., if a process takes 10 CPU cycles, the life of the IoT node should be 10 CPU cycles. Following this approach will make no two nodes identical to each other. In order to group similar nodes together, we shall require a node life-time indexing system that determines which two nodes are of the same age and vice versa.

– Data Management Techniques: The conventional data management techniques are going to be of little use due to absence of secondary storage in IoT devices. Smart data dissemination techniques should be borrowed from wireless smart sensor networks. Neighboring data verification, statistical analysis for skewness and error, and data privacy issues can be addressed through peer review of the transmitted data.

– Who is going to store the keys?: One of the key questions in the realm of post-IoT network data encryption is who is going to store the keys. How are they going to be exchanged? Who is going to verify them? Should PKI even be considered for IoT networks?
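The neighbouring data verification and skewness analysis named under Data Management Techniques can be sketched as follows. This is an added example, not code from the authors; the readings, the neighbour map, the modified z-score test and its 3.5 threshold are all assumptions chosen for illustration.

```python
import statistics

# Constructed sample data: temperature readings (deg C) from seven nodes.
READINGS = {"n1": 21.4, "n2": 21.9, "n3": 22.1, "n4": 21.7,
            "n5": 35.0, "n6": 21.6, "n7": 21.8}
# Hypothetical radio neighbourhood: which peers each node can hear.
NEIGHBOURS = {
    "n1": ["n2", "n3", "n4", "n5"], "n2": ["n1", "n3", "n5", "n6"],
    "n3": ["n1", "n2", "n4", "n6"], "n4": ["n1", "n3", "n5", "n6"],
    "n5": ["n1", "n2", "n4", "n6"], "n6": ["n2", "n3", "n4", "n5"],
    "n7": ["n6", "n3"],
}

def skewness(values):
    """Population skewness m3 / m2^1.5; 0 means a symmetric sample."""
    n = len(values)
    mean = sum(values) / n
    m2 = sum((v - mean) ** 2 for v in values) / n
    m3 = sum((v - mean) ** 3 for v in values) / n
    return 0.0 if m2 == 0 else m3 / m2 ** 1.5

def peer_review(readings, neighbours, threshold=3.5, min_peers=3):
    """Judge every reading against its neighbours only (no central store).

    Uses the modified z-score 0.6745 * (x - median) / MAD, which stays
    stable even when one of the reviewing peers is itself faulty.
    """
    verdicts = {}
    for node, value in readings.items():
        peers = [readings[p] for p in neighbours.get(node, []) if p in readings]
        if len(peers) < min_peers:
            verdicts[node] = "unverified"  # too few reviewers to decide
            continue
        med = statistics.median(peers)
        mad = statistics.median([abs(p - med) for p in peers]) or 1e-9
        score = 0.6745 * (value - med) / mad
        verdicts[node] = "rejected" if abs(score) > threshold else "accepted"
    return verdicts

def clean_readings(readings, verdicts):
    """Drop rejected readings before any aggregate statistic is computed."""
    return [v for n, v in readings.items() if verdicts[n] != "rejected"]

if __name__ == "__main__":
    verdicts = peer_review(READINGS, NEIGHBOURS)
    print(verdicts)
    print("skew before:", round(skewness(list(READINGS.values())), 2))
    print("skew after: ", round(skewness(clean_readings(READINGS, verdicts)), 2))
```

A node with fewer than three reviewing peers is reported as unverified rather than accepted, so sparse coverage is visible to the application instead of being silently trusted.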

These are the issues that need to be addressed before concerted efforts towards IoT network deployment are made. We, at the Security Research Institute, Edith Cowan University, are researching answers to the above-mentioned questions. The pragmatic nature of academia is to solve the underlying issues first and then deploy the products. The IoT industry players, by contrast, are going ahead with deployment while fixing the issues as they come, which is alarming, as we have been down that road with the 1980s Artificial Intelligence initiative and have failed to deliver on the promises of better life and wellbeing technologies.

Dr. Junaid Chaudhry is an information security and computer networks enthusiast. Currently, Junaid is a key member of the Security Research Institute at Edith Cowan University where, along with his team, he is working on cutting edge cyber security solutions. He is also leading a startup of a perfectionistic bunch of security researchers, digital forensics and information retrieval experts, penetration testers and bug hunters, interdisciplinary research aficionados, software coders, social scientists, and medical science researchers who are passionate about making the world a better and more secure place. He has spent more than 5 years designing, delivering, and researching in institutes at tertiary level, 6 years at research centres, and for the last 5 years he has been working in the information security industry. He worked at University of Amsterdam, Qatar University, Universiti Teknologi Malaysia, University of Hail, University of Trento, and University of South Pacific. He has also worked with Al-Jazeera, State of Qatar, Qatar Foundation, FBK, etc. as a consultant. Dr. Chaudhry has obtained training in teaching excellence from Harvard Business School, University of Amsterdam, and Universiti Teknologi Malaysia, and maintains a certified professional status with Australian Computing Society. Junaid’s research interests are cross disciplinary research, malware analysis, anomaly detection, cyber hunting, and digital forensics. He has published more than 50 papers and has authored 3 international books.

Dr. Ahmed Ibrahim received his BSc. (Hons) in Computing from Staffordshire University in 2005, Master of Computer Security from Edith Cowan University in 2008, and Ph.D. from Edith Cowan University in 2016. Presently, he is a Post-Doctoral Research Fellow at the Edith Cowan University Security Research Institute. Ahmed’s Ph.D. research was focused on detecting covertly hidden content in digital images. His areas of research include Steganography, Steganalysis, Digital Forensics, Network Security, Image Processing, Language Technologies, Machine Learning, Protocol Classification, and Internet of Things. Ahmed has previously worked as a Security Consultant, Lecturer, and Tutor in Australia, and has over 17 years of experience working in industry, government, and academia in the Maldives.

Dr. Ali Kashif Bashir received his Ph.D. in Computer Science and Engineering from Korea University, South Korea. He is currently working for Graduate School of Information Science and Technology, Osaka University. Dr. Ali is a senior member of IEEE and an active member of ACM and IEICE. He has given several invited and keynote talks and is a reviewer of top journals and conferences. His research interests include: cloud computing (NFV/SDN), network virtualization, IoT, network security, wireless networks, etc. He is also serving IEEE Internet Technology Policy eNewsletter as editor in chief.

Editor:

Dr. Rasheed Hussain received his B.S. in Computer Software Engineering from N-W.F.P University of Engineering and Technology, Peshawar, Pakistan in 2007, MS and PhD degrees in Computer Engineering from Hanyang University, South Korea in 2010 and February 2015, respectively. He also worked as a Postdoctoral Research Fellow in Hanyang University South Korea from March 2015 till August 2015. Furthermore, he worked as a Guest researcher in University of Amsterdam (UvA), Netherlands and consultant for Innopolis University, Russia from September 2015 till June 2016. Dr. Hussain is currently working as Assistant Professor at Innopolis University, Russia and establishing a new Masters program (Secure System and Network Engineering). He has authored and co-authored more than 45 papers in renowned national and international journals and conferences. He serves as reviewer for many journals from IEEE, Springer, Elsevier, and IET that include IEEE Sensors Journal, IEEE TVT, IEEE T-ITS, IEEE TIE, IEEE Comm. Magazine, Elsevier ADHOC, Elsevier JPDC, Elsevier VehCom, Springer WIRE, Springer JNSM, and many more. He also served as reviewer and/or TPC for renowned international conferences of repute including IEEE INFOCOM, IEEE GLOBECOM, IEEE VTC, IEEE VNC, IEEE ICC, IEEE PCCC, IEEE NoF, and many more.

Technology Policy and Ethics

IEEE Future Directions considers the reflection of technology through the lens of social implications a key tenet of our work as we incubate and promote technologies. Technology Policy and Ethics will present articles that address policy and ethics considerations in developing new technologies.